The hypothesis is that this detection identifies potential APT28 activity involving the CORESHELL/SOURFACE implant, malware used for long-term persistence and command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel so that advanced persistent threats are detected and mitigated before they cause significant damage.
YARA Rule
rule IMPLANT_2_v11 {
    meta:
        description = "CORESHELL/SOURFACE Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
    strings:
        $STR1 = {55 8b ec 6a fe 68 [4] 68 [4] 64 A1 00 00 00 00 50 83 EC 0C 53
                 56 57 A1 [4] 31 45 F8 33 C5 50 8D 45 F0 64 A3 00 00 00 00 [8-14] 68
                 [4] 6a 01 [1-2] FF 15 [4] FF 15 [4] 3D B7 00 00 00 75 27}
    condition:
        (uint16(0) == 0x5A4D) and all of them
}
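To show what the condition and the hex string above actually test, here is an added Python example (not the US-CERT rule's own code and not a YARA engine): it translates the rule's hex string, including its [n] and [n-m] jumps, into a bytes regex, applies the MZ-header check from the condition, and runs both against a buffer constructed from the pattern itself with filler bytes, which is not a real sample.

```python
import re

# Hex string of rule IMPLANT_2_v11 exactly as it appears on the page.
CORESHELL_HEX = """
55 8b ec 6a fe 68 [4] 68 [4] 64 A1 00 00 00 00 50 83 EC 0C 53
56 57 A1 [4] 31 45 F8 33 C5 50 8D 45 F0 64 A3 00 00 00 00 [8-14] 68
[4] 6a 01 [1-2] FF 15 [4] FF 15 [4] 3D B7 00 00 00 75 27
"""
# One token: a jump [n] / [n-m], a ?? wildcard byte, or a literal hex byte.
_TOKEN = re.compile(r"\[(\d+)(?:-(\d+))?\]|\?\?|[0-9A-Fa-f]{2}")

def _tokens(hex_string):
    """Yield (kind, lo, hi, value) per token; anything else is an error."""
    pos = 0
    for m in _TOKEN.finditer(hex_string):
        if hex_string[pos:m.start()].strip():
            raise ValueError(f"unexpected text at offset {pos}")
        pos = m.end()
        if m.group(1) is not None:          # [n] or [n-m]: n..m arbitrary bytes
            yield "jump", int(m.group(1)), int(m.group(2) or m.group(1)), None
        elif m.group(0) == "??":            # single wildcard byte
            yield "wild", 1, 1, None
        else:                               # literal byte (case-insensitive hex)
            yield "byte", 1, 1, bytes.fromhex(m.group(0))
    if hex_string[pos:].strip():
        raise ValueError("trailing text after last token")

def hex_to_regex(hex_string):
    """Compile a YARA hex string into a bytes regex; jumps become lazy ranges."""
    parts = []
    for kind, lo, hi, value in _tokens(hex_string):
        parts.append(re.escape(value) if kind == "byte" else b".{%d,%d}?" % (lo, hi))
    return re.compile(b"".join(parts), re.DOTALL)

CORESHELL_RE = hex_to_regex(CORESHELL_HEX)

def matches_implant_2_v11(data):
    """Rule condition: uint16(0) == 0x5A4D (little-endian 'MZ') and $STR1 found."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    return CORESHELL_RE.search(data) is not None

def build_sample(hex_string, longest=False, fill=0xCC):
    """Constructed test input: each jump filled at its shortest (or longest) length."""
    out = bytearray()
    for kind, lo, hi, value in _tokens(hex_string):
        out += value if kind == "byte" else bytes([fill]) * (hi if longest else lo)
    return bytes(out)
```

Because the jumps are ranges, the same pattern matches whether the compiler emitted 8 or 14 bytes between the two fixed fragments, which is why the rule tolerates small build-to-build differences.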
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($STR1) in its detection logic.
Scenario: Scheduled system maintenance task using PowerShell to clean temporary files
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%Clear-Item%'
Scenario: Admin using PsExec to remotely execute a legitimate script for patching
Filter/Exclusion: process.name != "psexec.exe" OR process.args NOT LIKE '/s /h %patch_script.ps1%'
Scenario: Automated backup job using Robocopy to copy files to a network share
Filter/Exclusion: process.name != "robocopy.exe" OR destination NOT LIKE '\\backupserver\share\%'
Scenario: IT staff using Windows Task Scheduler to run a legitimate monitoring script
Filter/Exclusion: process.name != "schtasks.exe" OR task_name NOT LIKE 'Monitor-*'
Scenario: User running PowerShell to configure a legitimate system setting via Group Policy
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '-Command Set-GPRegistryValue'